I'm an ex-Fed, retired Fed, and I'm going to show you a couple of PowerPoint slides interspersed with some video.
I guess the first thing to tell you about is that this isn't working.
Well, the keyboard is close enough.
This presentation was originally titled Hacking the Mind.
And having gotten together with a couple of friends, decided that maybe we would change the title a tad bit.
I have...
I have a dubious distinction of having, while I was still working, profiled the Unabomber.
Only the FBI didn't believe me.
So I'm going to talk about that and hacking that particular wireless media.
That's Theodore Kaczynski, now a guest of all of you who pay taxes.
The FBI now calls this technique criminal investigative analysis, more commonly referred to as psychological profiling.
Began at the FBI Academy back in the mid-70s with agents who had been trained in criminology and psychology.
Looking at cases for investigators who were there.
They were there for training.
That led to interviewing people who had been convicted and were imprisoned and who were willing to talk to us.
Extensive interviews of serial killers and serial rapists.
From that we developed what we call protocol.
It's a standardized set of questions that we could apply to...
other cases not yet investigated.
All of that was done unofficially.
We did it on our own in our spare time when we were doing something else.
We were putting on training somewhere around the country.
We would go to a prison where one of these guys was at.
After we developed the protocol, then the FBI let us do it a third time.
Some of the notoriety that came from that helped to narrow the focus of investigations.
From the movies that you see, how many of you have seen the movie Profiler on television?
The appearance is that it presents a specific individual basis of looking at the cases.
That's not what happens.
What happens is that it focuses on a particular type of individual, a behavioral or psychological type.
The media was attracted because of some of the successes early on.
More successes and then probably the biggest boost that we got was from the movie Silence of the Lambs.
Just a brief history of the Unabomber case.
The first bombing occurred at Northwestern University.
It wasn't recognized as a Unabomber then.
This was just the very first bomb.
The package had been left at the University of Illinois, Chicago and then transported to Northwestern University.
The package was addressed to a professor there.
The third bomb.
The fourth bombing was an attempt to bring down an airline flight from Chicago O'Hare to Washington National Airport.
Fortunately the bomb wasn't successful.
He was still in his learning mode then.
It was after the fourth case, which was the bombing of the president of United Airlines, that forensically they were able to link the four bombs.
Previously they were just forced to leave.
They were separate bombs.
Now we had what was called a Unabomber case.
University and airline was what that awkward acronym stands for.
University and airline bombings.
On December 11th, 1985, the first murder, the first bombing that resulted in a death, was in Sacramento, California.
Hugh Scrutton owned a computer store.
Within a couple of weeks, the first profile was developed.
I had not worked on that case at that time.
In 1987, at another computer retailer, the Unabomber was spotted.
And that's where the first sketch was made.
The first sketch that some of you may have seen came from.
He was spotted and although years later we thought that that particular sketch didn't look much like him, he thought it did and he went to ground.
Six years later, he simultaneously struck two people.
One in the Bay Area, Tiburon, north of San Francisco.
A geneticist, physician, Charles Epstein.
And then, sorry, June 22nd, 1993, Charles Epstein; June 24th, 1993, at Yale University, professor of computer science, David Gelernter.
The bombs were mailed at the same time.
Gelernter was out of town and came back the next day.
They were intended to kill him.
They were intended to kill both people at the same time.
And it was only a quirk of luck that Gelernter didn't open his package until two days later.
Both of them survived.
Both of them were very seriously injured.
Both of them, as it happens (it was coincidental; we couldn't find any link to it), were concert pianists.
Both of them had most of their hands blown away.
Two days later, the Attorney General, then Janet Reno, directed that a task force be established.
A combination of the FBI, the postal service, and alcohol, tobacco, and firearms.
Sent people to San Francisco to work on the investigation.
I had spent most of my career at our academy, where the behavioral sciences unit is located.
At Quantico, Virginia.
In 1991, I transferred to San Francisco.
But I was managing some computer databases there for a non-criminal kind of work.
But I had this training.
So when the Attorney General directed that they gear up, they had the task force ask for me to work on the case.
In the behavioral community.
And I had the capacity.
But it wasn't to do a profile, because they already had a profile in hand.
What they wanted me to do was to interview all the living victims.
And to find out what they had in common.
What they had in common was computers.
They all used or made use of computers in some way.
So I had to figure out what they had in common.
In preparation for the interview, I looked at all those cases from 1978 to the present.
Which present at that time was 1993.
I looked at all the cases.
I looked at all the crime scene photographs.
And I looked at all the forensic analysis reports.
That is how the bombs were put together.
And what debris was left from the bombings.
I did that in order to prepare myself to interview these victims.
Because they didn't want a profile.
But since those are the ingredients for doing a profile.
And since I hadn't worked on it.
I thought it would be interesting to see what a new review would do.
So I did a profile.
And sent it to Quantico.
But it was put aside because more important work was needed.
After all, they said they already had a profile.
Information technologies.
More technology at that point in history applied to a criminal investigation than had ever occurred in the history of the FBI.
Imagine pulling together records from the 1960s.
Computer records.
Files on tape.
Pulling those together.
And integrating them into a system that could be read in a single time.
A single medium.
That was quite a task.
We drew on probably every kind of computer technology there is.
Including super computers.
To consolidate, commingle, and coordinate those files.
Bringing them together from all the offices around the country where there had been bombings.
There was an 800 number set up.
And a million dollar reward offered.
Then I suggested.
That because the people that had been bombed had been using computers.
That we might get some help from people who used the net.
So after a long time I got permission.
But the FBI didn't have in 1993 a capacity to use the web.
So I called on some friends at NASA down in Moffett Field.
And they said sure no problem.
We set up a website.
And set up an email account.
So we could get information in that fashion.
Victimology.
Victimology is about what the relationship is between the victim and the criminal.
By relationship I don't mean that they necessarily knew each other.
But how the victim comes to the attention of the criminal.
And so that was the point.
They had me there to try to find out what that link was.
And all of the living victims agreed to be interviewed.
We brought them to San Francisco for two days.
And we put them through their paces.
A protocol that I developed.
Which was a variation of the original protocol.
That data was correlated.
Cross tabulated.
And the question is.
Okay we hope that this will all point to some type of individual.
So what did it point to?
Nothing.
The only common characteristic of all the victims.
Was that they used computers.
It pointed therefore to no one.
The controversy around the case.
Came after the study.
That particular study was completed.
Because we had a change of command.
And the new guy wanted to know.
Wanted to be brought to speed.
What was going on with the case.
And we pulled out the profile that I had done in 1993.
There was a conflict.
A conflict between the physical.
Between the physical evidence that had been evaluated.
That is the forensic evidence.
And what I said in the profile.
That became a problem.
Later on.
Theodore Kaczynski.
We didn't know it was that name yet.
The Unabomber.
Demanded that his manifesto be published.
He said publish.
My views.
Or.
I'll bomb again.
He demanded.
Made that demand of the New York Times.
And the Washington Post.
Consideration was given to this.
What they were going to do.
Whether they should do this or not.
It was.
Breaking new ground.
He made another demand.
He upped the ante.
He said that if we didn't publish.
He was going to blow up a plane.
In or out of LAX.
The manifesto was published.
And he wrote back and said.
Just kidding.
I didn't mean that I was going to blow up a plane.
There's an interesting sideline.
When he was arrested in 1996.
In Lincoln, Montana.
In his cabin.
There were two bombs already completed.
And one in partial development.
I don't think he had any intention to stop bombing.
He was rationalizing.
His behavior to get what he wanted.
Let me show you a section of tape here.
That's a segment from Johnny Mnemonic.
That's part of the work.
We got the title for this presentation.
That's the wetware.
Let me show you what the differences between the two profiles were.
In 1985, the first profile ...
The first profile said that he was in his early 30s, that he was a loner.
That he was poorly educated.
That whatever background he had, it was social science and he was a dropout.
He was probably an airline industry employee who was disgruntled or had been fired.
The profile that I did said he was in his early 50s.
That he was an anti-technology Luddite.
That he was very well educated.
Probably in the hard sciences.
I suspected engineering or math.
And that he probably had a graduate degree, possibly a PhD, and he was an academic.
This flew in the face of everything that had been believed about the Unabomber up to this point in time.
They had forensic evidence.
They said it couldn't be.
When Theodore Kaczynski was arrested in 1996 in Lincoln, Montana, after the manifesto was published.
And that was in 1990.
Thanks to his brother.
His brother, David, is the one who recognized the writings.
Question?
Q1 Can you talk about the communications received by the Unabomber?
The communications received from the Unabomber were letters.
He sent letters.
Q2 Do you have any more information?
Q3 If they can help me out.
Thank you.
when he was arrested. He had a Ph.D. in mathematics from the University of Michigan. His undergraduate
degree was from Harvard. He had never worked in the airline industry, but he was very smart
and was able to put things together. So let me bring you to the point about applying these
tools to cracking. Let me show you a little example of a videotape here.
Okay, what I was trying to show you is from Blade Runner. You remember what happened there.
They had a gizmo that they provoked a response.
With regard to this, I think that since we're all creatures of habits, we tend to repeat
what works for us, what feels good, and in the repetition of certain kinds of activities,
criminal activities, that's referred to by the police as MO, modus operandi, the way we work.
The trouble is that generally when that happens and the criminal learns about it, he changes
the way he does business. But there's some things that we can't change. We can't change
them because they're part of the reason we do what we do. Criminals are the same. People
who commit certain kinds of crimes commit them in a certain way and won't change them
even if aware that the police know about them. That's referred to as a signature.
All orders, set.
You know what a turtle is?
Of course.
Same thing.
There's some very interesting research that's going on currently at UCLA at the Brain Mapping Center.
It's a spinoff from the Human Genome Project. Professor Mazziotta and others are working
on this research. They're trying to find out how the brain functions, in what ways it works,
combined with something that's a little bit older called neuro-linguistic analysis.
You probably know it as handwriting analysis. And the common phrase is, what you write is
who you are. The way you write, your style of writing, the words you choose are all part
of your identity. Your technique, the cadence that you use on the keyboard, the rhythm and
the keystroking that you use, the quirks of the way you name files, the spelling that you use.
And if you combine that with a stimulus that elicits a response, you can be identified.
I don't think there's any microphones out there now.
But are there some questions about this and how this can be applied to cracking?
And what its implication is?
One of the reasons that I'm doing this kind of research now, as I said, I'm retired.
I teach at a university.
Because I think that there's a lot of bad press that people have gotten.
And sometimes people get into trouble.
Going just a little too far.
I think it's important to be able to identify characteristics that are reflective of serious criminals.
Real serious criminals.
There's a difference between people who commit what I'll call crimes of passion.
You get upset about something and you take a swing at somebody that under other conditions you wouldn't.
There's a difference between that and somebody like Ted Bundy.
And the people that we need to focus on are people who are taking advantage of society.
People who want to bring down airplanes.
People who have no concern for other individuals.
That's different than what the historical term of hacking is about.
So I think that the tools, if applied correctly,
can be a big service to this community.
I'm interested in talking to people who have gotten in trouble.
And what their motivation is and how they thought about what they're doing.
I think that in the long run, that that kind of research is going to be helpful to you.
And not simply a tool for law enforcement.
You know, as you think about it,
think about what damage is done.
And the law enforcement community talks about people going over the line.
Here's what Theodore Kaczynski did in the course of 17 years.
His rationalization was that he wanted to stop technology.
That technology had gone too far.
He hurt very seriously maimed people.
23 of them.
And three people are dead.
Three people were blown to pieces because having gone too far.
Here's some sources of information that I think might be useful to you.
The websites that are there.
The first one, the first URL is a historical chronological.
A count of the bombings.
When they occurred.
Where they occurred.
In different parts of the country.
The second one is an article from U.S. News and World Report about the controversy of the profile.
And the third URL is a link to an interview that was done by Richard Thieme.
If you were here.
The other day for Black Hat.
Richard Thieme spoke.
I believe he's speaking here at DEFCON as well.
He interviewed me for an article that appeared in the April issue of Information Security Magazine.
The book that's listed there.
Author Unknown, by Donald Foster.
He's a professor at Vassar.
An English professor.
He is a very interesting guy.
He's written a very interesting book about the identification of people from what they're writing.
Their anonymous writings.
He's the guy who identified the author that published a book anonymously called Primary Colors.
The author was Joe Klein.
He denied it at first.
And then it was finally revealed.
And Don Foster did some work on the Unabomber case.
But he's written a fascinating book.
It's a very interesting read about how one can be identified from their writings.
And the last recommendation on there is from the August issue of Wired Magazine.
And it talks about neurotechnology research being done at UCLA at the Brain Research Center.
I couldn't catch that.
That's the URL for that.
For the online version of it.
But it's in the August issue of Wired.
Ken Olthoff and Kevin Manson and Don Cavender, who's maybe here.
Jim Christie helped with some ideas for this presentation.
The...
I know that a lot of the concern on the part of this audience, this community, is concern about law enforcement.
What they're doing.
Why they're doing it.
And I think it's a great thing that they have these contests about the Fed.
And that's a great way to get together.
But if you really want to be part of a community.
Kevin Manson and I talked yesterday about being good.
Netizens.
Being part of something that contributes to the good.
Rather than being on the fringe.
Being on the outside.
Then this is a way to do it.
This is a way to do it by thinking about what you're doing.
And observing the kinds of behaviors that are damaging rather than contributing.
Questions?
Questions?
Comments?
Questions?
With cases of breaking into things online, is there generally a large amount of evidence that can be used for profiling in those cases?
Or does it tend to be just like, oh, they probably used this script?
Well, I think that's an interesting question.
And I think that the evidence is there.
They just don't recognize what it is.
You know, the people that are investigating cases, usually what they're referred to as the first responders.
May come to a scene, whether it's a murder scene or whether it's somebody's bedroom with a computer in it.
Sometimes those first responders don't know what it is they're looking at.
And so the evidence, in any case, if it's not processed properly, then that will destroy the evidence.
Yesterday, Kevin Manson and I were talking about the College Cyber Defenders Program that's run by Fred Cohen out at Sandia Labs in Livermore, California.
And the scholarship program.
If you weren't there and didn't hear about that, Kevin and I would be happy to give you some of the information on those resources.
Where you can get training.
And where these programs are available from the federal government.
The catch is you've got to work for the federal government for three years to pay back the scholarships that you get.
But part of it is a $1,000 a month stipend that goes with those scholarships.
The universities that are part of that program today, they'll grow.
The number will grow.
But right now I think they're the University of, I see Carnegie Mellon.
The Naval Postgraduate School.
Monterey.
Great place to go to school.
The University of Tulsa.
The University of Iowa State.
What am I missing?
Oh yeah, Purdue.
How could I miss Purdue?
Purdue University.
Those are the six schools right now.
But if you want to get some quality education and training and get it for free.
Those are places that are going.
One of the things that we found very interesting was that the federal government hasn't marketed this very well.
Because we couldn't find the places, good places on the web to get that information.
They were mostly news accounts.
But those are the universities and they apply directly to them, make inquiries to them.
You'll be able to find that information.
There are other places like the University of New Haven.
That has a forensics, computer forensics program.
And those are places to begin.
Are there any online resources about the programs that you're talking about?
The only online resources that we found were news accounts.
There weren't any places directly to apply.
But if you go to those universities.
To their web, to their websites.
You can probably find something about the program.
James Madison University.
Okay, James Madison University is another one in Virginia.
South of the DC area.
Okay.
James Madison University is part of a program called the Centers of Excellence.
And so their website is going to have a lot of very useful information about that as well.
I just wondered, there was such a discrepancy between the first profile and the one that was more accurate later.
Two questions.
First, to what do you attribute the change in technique or technology to make it more accurate?
And second of all, where I come from, we have a concern that because of the success of profiling,
it's become almost the bible of the industry.
And is it not in some ways?
Over generalizing to the place where a person might be considered guilty rather than innocent,
just on the basis of their profile.
Yeah, that certainly is a possibility.
And the FBI has continually said that this shouldn't be used as the first means to focus on individuals.
In fact, it's not intended to focus on individuals, but on behavioral types.
The fact that it has been used.
Used that way when the technique is, or the information is presented to the law enforcement agency.
The law enforcement agency then does whatever they're going to do.
It's kind of like, you go to your physician and he gives you a prescription and says take two of these a day.
If you take six of them a day, then it's not going to work the way the physician intended.
So that's a problem.
The other thing, the other issue is about why there was such a difference.
First of all, that, the first profile was done in 1998.
In 1985, I had a great deal of advantage in doing the second profile in 1993.
I had all of the information available from that entire period of time.
Why it wasn't listened to probably has more to do with mindset than it has to do with anything else.
I've said repeatedly that the FBI didn't not want to catch him.
They just thought that I was wrong.
That's all.
Are there any studies right now being done for profiling of hackers by the government?
Yeah, the question is, are there any studies being done of hackers?
Well, there's some studies that are being done.
I'm almost certain, as I sit here, that they're being done.
But I don't know where they're being done.
It's like, you know, in all the universities around the world,
around the country, there are people that are interested.
I've got one student I'm on a committee at Washington State University
who's interested in profiling, but she's more interested in profiling of conventional violent criminals
as opposed to people who use computers.
Dorothy Denning at Georgetown.
Profiling.
Dorothy Denning is a computer scientist at Georgetown,
and she's interested in that.
She's done some writing about behavior,
but I don't know that she's doing any research on that specifically.
Interesting topic.
It probably would be very helpful for people if they did.
What level of...
behavioral profiling?
What level of use of behavioral profiling does law enforcement currently use
against computer criminals and computer break-ins?
Do they use any at all right now, or what's the current state of that?
I've been retired for six years.
My opinion is they're probably doing little or none.
The applications of profiling, if you will, is being done in the foreign counterintelligence area.
I'd like to ask a question.
So in a recent article in a magazine they talked about...
In a recent article about...
In a Pearl magazine they had an article about simulating typos,
simulating the mistakes people make on keyboards.
Do you think it's possible to have automated systems that will trip up profiling algorithms like the ones you mentioned?
That's a really interesting question.
I think it's possible to do that through the use of artificial intelligence.
Several years ago, that was back in 1985, three of us worked on a program, an expert system, KES,
knowledge engineering systems software, to take what the human profiling process, how that was done,
and automated it into if-then questions.
And the program worked fairly successfully in experimental mode.
We hadn't applied it to actual cases.
We only applied it to closed cases where there was a known solution.
And running the data through the program,
it did work about 90% accuracy.
So the fine-tuning is something that probably had to be done.
Unfortunately, what happened is that the engineer that was on that project,
he left the FBI, went to work for the Tennessee Valley Authority.
I transferred to San Francisco, and the VAX-11/785 got shut down.
The tape is sitting on a shelf somewhere.
So nothing ever happened with that.
Okay, come on down.
There's plenty of seats in front.
Nobody's going to pass the collection plate.
Nothing to risk by coming down here.
I was just going to ask how prolific the government's use of honeypots do you think they are?
How prolific and how much are they using them to profile hackers or crackers?
Well, I just got through showing you a slide.
I said that we tend to use what works and what feels good.
When honeypots are successful, they'll keep on making use of that tool.
I'm retired, so I don't know how extensively they're being used
by either federal government or a combination of federal and local law enforcement.
The shadow knows.
Other questions?
Are the profiling techniques still valid when you're dealing with different international types
as far as someone's nationality or country of origin?
Great question.
As a matter of fact, one of the things that, you know,
that I worked on, or let me back up.
One of the things that I told my colleagues is that all the research that we had done
were on American serial killers.
There are certainly social dimensions to the way we do things that are culturally based.
So I think that there probably are some unique differences that need to be taken into account.
And I know that the British have been doing, a guy by the name of David Canter has been doing research in England.
There's some research that's being done in profiling in Italy and in France.
Those are the only three places that I know of where that kind of research is being done
to try to compare the cultural and social differences between people who commit those kinds of crimes.
So far as I know, nobody else is doing any work
in the area.
I don't know of, of hacking.
Anywhere.
I can't see any hands.
No more hands.
No more questions.
Do you see any difference in the places within the United States,
as in the West Coast, the East Coast, the South, Midwest?
Yeah, I think that there are regional differences.
In 1985, using some voice recognition software,
when it would recognize, I was using Kurzweil at the time,
when it was trained with somebody from Boston and then put in the hands of somebody
who's from Biloxi, Mississippi, the poor thing just went berserk.
So I think that there probably, just as there are some linguistic pattern differences,
there are probably some differences, again, culturally, based on the way
we learn to use the techniques that we do.
If the second profile had been accepted,
do you think that Kaczynski would have been caught sooner?
Yeah, have, if the profile had been used, would it be caught sooner?
Yeah, I think that would have happened.
But I'm not totally objective about that kind of a question.
If they had looked at academics, given all the databases
and the relational databases that have been built,
Peter Kaczynski was in four of those different databases.
But when the queries were made, it went right by him
because he was a very well-educated academic.
He wasn't an airline mechanic.
Pursuing that question just one step further,
did the profile of Kaczynski, either profile,
have any function in his eventual arrest
or identification, arrest and conviction?
Did either profile have any connection with his arrest and conviction?
Zero. None.
It is, and the reason is because when the manifesto was published,
the hope was, let me back up a little bit,
there were a number of people who had looked at the manifesto
privately and quietly for the FBI.
They had had professors of different fields,
including English literature, looking at it
and giving their assessment of what kind of person wrote this.
But the differences varied almost with the number of people
that looked at it.
It wasn't until the manifesto was published publicly
and David Kaczynski and his wife recognized the style of writing
that was in the manifesto with letters that he had written
over the years.
Kaczynski had been living in Montana for a number of years
and had an irregular but ongoing correspondence with his family
where he was ranting about some of the same things
that were in the manifesto.
So when they read the manifesto, they recognized this
and said this might be Ted.
They went to a private investigator.
Private investigator said you better contact the FBI.
That led to a surveillance.
That led to the arrest.
So the profiles, neither profile had any impact on the investigation.
As I said, I had retired when he was arrested.
It was only after the fact that that became a controversy.
Is profiling being used, for example,
if a foreign military attacks the U.S.
and with the Internet it's a lot,
regardless of where the packet originates from,
it's a lot of times hard to find out who's actually sending it.
Is profiling being used, for example,
to find out which country is attacking us
or if it is a country or a terrorist organization for that matter?
Well, I don't think that in looking at packets
and the origin of the different nodes that they come from
is going to, could be used in the profiling capacity,
as you've suggested,
but I think that it's certainly an issue that will take on importance
as we get more, a bigger knowledge base about what we're doing.
Other questions?
Okay.
Let's see.
If you have some,
if you would like to engage in some conversation about these issues,
I'd be happy to do so.
This is my first Black Hat and first DEFCON.
It will not be my last,
and I hope to come back next time
and sit where you're sitting and learn about what you're doing.
Thank you very much.
Thank you.
Thank you.
